Cybersecurity in Vietnam 2026
Cybersecurity Law, NCSC/VNCERT, Decree 13 & Digital Sovereignty

The definitive guide to Vietnam's cybersecurity landscape covering the Cybersecurity Law 2018, NCSC and VNCERT operations, Decree 13/2023 personal data protection, MIC and MPS regulatory oversight, data localization mandates, domestic security vendors including Viettel Cyber Security, BKAV, and FPT Security, financial sector compliance under SBV circulars, critical infrastructure protection, the National Digital Transformation Program, and workforce development initiatives.

January 2026 | 32 min read | Technical Depth: Expert

1. Executive Summary

Vietnam is emerging as one of Southeast Asia's most dynamic cybersecurity markets, driven by rapid digital transformation, an expanding regulatory framework, and the government's explicit goal of establishing digital sovereignty. With a population of over 100 million people and internet penetration exceeding 79%, Vietnam's digital economy is projected to reach $43 billion by 2025, creating both enormous opportunity and significant cybersecurity risk across all sectors of the economy.

The cybersecurity market in Vietnam reached approximately $380 million USD in 2025, growing at 16-18% annually. This growth is fueled by the implementation of the Cybersecurity Law 2018, the landmark Decree 13/2023 on personal data protection, escalating cyber threats from both state-sponsored actors and cybercriminal organizations, and the government's ambitious National Digital Transformation Program. The "Make in Vietnam" initiative has further catalyzed the domestic cybersecurity industry, with the government targeting 90% of government agencies to use domestically developed cybersecurity solutions by 2025.

Vietnam's cybersecurity governance operates through a dual-authority model: the Ministry of Information and Communications (MIC) oversees information security for civilian systems through the Authority of Information Security (AIS) and the National Cyber Security Center (NCSC), while the Ministry of Public Security (MPS) manages cybersecurity law enforcement and personal data protection through the Department of Cybersecurity and Hi-tech Crime Prevention (A05). This dual structure creates both comprehensive coverage and coordination challenges that organizations operating in Vietnam must navigate carefully.

Despite significant progress, Vietnam faces structural challenges including a cybersecurity talent shortage of approximately 500,000 professionals, uneven enforcement of regulations, limited cybersecurity investment among small and medium enterprises, and the rapid expansion of the digital attack surface as e-government, fintech, and IoT deployments accelerate ahead of security capacity. This guide provides an authoritative analysis of every dimension of Vietnam's cybersecurity landscape as of early 2026.

Vietnam Cybersecurity Market 2025: $380M
Estimated Cybersecurity Talent Gap: 500K
Annual Market Growth Rate: 16-18%
Internet Penetration Rate: 79%

2. Vietnam's Cyber Threat Landscape

2.1 Nation-State and APT Activity

Vietnam operates in a complex threat environment shaped by geopolitical tensions in the South China Sea, rapid economic development attracting IP theft, and its position as a growing technology hub. Chinese state-sponsored groups, particularly APT41 (Winnti/Barium), APT31, and Mustang Panda, have consistently targeted Vietnamese government agencies, defense institutions, and organizations involved in South China Sea territorial disputes. These campaigns focus on intelligence gathering, diplomatic communications interception, and technology transfer.

APT32, also known as OceanLotus or Canvas Cyclone, has been extensively documented by security researchers as a Vietnamese state-aligned threat actor. This group has targeted foreign governments, multinational corporations operating in Vietnam, Vietnamese dissidents, and media organizations. Their operations demonstrate sophisticated capabilities including custom malware families (Denis, Cobalt Kitty, Goopy), watering hole attacks against legitimate Vietnamese websites, and advanced social engineering campaigns leveraging Vietnamese-language lures. The existence and documentation of APT32 have implications for Vietnam's international cybersecurity diplomacy and trust-building efforts.

2.2 Cybercrime and Ransomware

NCSC reported over 13,750 cybersecurity incidents targeting Vietnamese information systems in 2024, representing a 30% increase over the previous year. Ransomware attacks have surged significantly, with prominent incidents targeting manufacturing companies, financial institutions, and healthcare providers. The NCSC's threat analysis identifies phishing as the primary initial access vector, accounting for 42% of incidents, followed by exploitation of public-facing applications (28%), and compromised credentials (18%).

Vietnam's rapidly growing e-commerce ecosystem (valued at $20.5 billion in 2024) has attracted increasingly sophisticated cybercriminal operations. Online payment fraud, credential stuffing attacks against banking and fintech platforms, SIM swap attacks enabling unauthorized account access, and sophisticated social engineering campaigns exploiting the widespread use of Zalo and Facebook Messenger for business communications represent persistent threats. The State Bank of Vietnam reported banking-related cyber fraud losses exceeding 10 trillion VND (approximately $400 million USD) in 2024.

Cyber Incidents Reported 2024: 13,750
Year-over-Year Incident Increase: 30%
Incidents via Phishing Vector: 42%
Est. Banking Cyber Fraud Losses 2024: $400M

2.3 Threat Intelligence by Sector

| Sector | Primary Threat Actors | Common Attack Vectors | Risk Level |
|---|---|---|---|
| Government / Defense | APT41, Mustang Panda, APT31 | Spear-phishing, supply chain, zero-day exploits | Critical |
| Banking / Finance | Cybercriminal syndicates, Lazarus Group | Phishing, credential theft, payment fraud, SIM swap | Critical |
| Manufacturing / FDI | Ransomware groups, IP theft actors | VPN exploitation, ransomware, OT lateral movement | High |
| Telecommunications | State-sponsored groups, APT campaigns | Network infrastructure compromise, SIM cloning | High |
| E-commerce / Fintech | Cybercriminals, fraud rings | Account takeover, API abuse, payment fraud | High |
| Healthcare | Ransomware groups, opportunistic attackers | RDP exposure, unpatched systems, ransomware | Medium-High |
| Energy / Utilities | State-sponsored groups | SCADA targeting, supply chain compromise | High |

3. Cybersecurity Law 2018 (Law 24/2018/QH14)

3.1 Legislative Framework and Scope

The Cybersecurity Law (Luat An ninh mang, Law No. 24/2018/QH14), passed by the National Assembly on June 12, 2018 and effective January 1, 2019, is Vietnam's foundational cybersecurity legislation. The law establishes the legal framework for protecting national security in cyberspace, defining the responsibilities of government agencies, organizations, and individuals in maintaining cybersecurity. The Ministry of Public Security (MPS) serves as the primary enforcement body, while MIC retains jurisdiction over information security for civilian systems.

The Cybersecurity Law applies broadly to all domestic and foreign organizations operating information systems, providing services, or storing data in Vietnamese cyberspace. Key provisions include classification of information systems into categories based on national security impact, requirements for cybersecurity audits and assessments of systems classified as national security systems, obligations for service providers to cooperate with law enforcement in cybersecurity investigations, provisions for content management and removal of content deemed harmful to national security, and the controversial data localization requirements under Article 26 that require certain enterprises to store Vietnamese user data within Vietnam.

Cybersecurity Law 2018: Key Provisions

Article 10 -- Information System Classification: Systems are classified based on their impact on national security. Systems handling state secrets, critical infrastructure, and national defense are designated for enhanced protection requirements.

Article 26 -- Data Localization: Enterprises providing services on telecommunications networks, the internet, or value-added services in cyberspace in Vietnam that collect, exploit, analyze, or process personal data, data on service users' relationships, and data generated by service users in Vietnam must store such data in Vietnam. Foreign enterprises must establish branches or representative offices in Vietnam.

Article 24 -- Cybersecurity Incident Response: Organizations must implement cybersecurity measures proportionate to their system classification, conduct regular assessments, and coordinate with MPS during incident investigation.

Article 16 -- Content Management: Service providers must prevent, detect, and remove content violating cybersecurity provisions within 24 hours of receiving a request from competent authorities.

3.2 Implementing Decrees and Guidance

The Cybersecurity Law has been supplemented by multiple implementing decrees that provide operational detail. Decree 53/2022/ND-CP (effective September 2022) elaborates on the data localization provisions, specifying the categories of data subject to localization, the conditions triggering localization requirements, and the procedures for compliance. Notably, Decree 53 clarifies that data localization is not universally mandatory but applies when triggered by specific conditions including a request from competent authorities based on national security needs.

Decree 13/2023/ND-CP on personal data protection (discussed in detail in Section 4) operates alongside the Cybersecurity Law to create a comprehensive data governance framework. While the Cybersecurity Law addresses data from a national security perspective, Decree 13 focuses on individual data rights and organizational obligations. Organizations must comply with both frameworks simultaneously, which requires careful mapping of overlapping requirements and coordination between MPS (Cybersecurity Law enforcement) and MPS's Department of Cybersecurity (Decree 13 enforcement).

3.3 Enforcement Landscape

Enforcement of the Cybersecurity Law has been progressive rather than immediate. The MPS Department of Cybersecurity and Hi-tech Crime Prevention (A05, formerly C50) has focused initial enforcement efforts on large domestic platforms, social media companies, and telecommunications providers. International technology companies including Google, Facebook (Meta), Apple, and TikTok have established compliance mechanisms for Vietnamese government requests, including content removal and data disclosure. The enforcement pace is accelerating, with MPS reporting over 200 administrative enforcement actions in 2024 related to cybersecurity violations, up from fewer than 50 in 2021.

4. Decree 13/2023: Personal Data Protection

4.1 Vietnam's GDPR Equivalent

Decree 13/2023/ND-CP on Personal Data Protection, effective July 1, 2023, represents Vietnam's most comprehensive data privacy regulation and is often characterized as Vietnam's equivalent to the EU's GDPR. Issued by the Government (executive branch) rather than the National Assembly, it operates as a sub-law regulation with enforcement authority vested in the Department of Cybersecurity under MPS. The decree applies to all organizations and individuals in Vietnam that process personal data, as well as foreign organizations processing the personal data of Vietnamese citizens.

Decree 13 introduces fundamental data protection concepts previously absent from Vietnamese law, including the formal distinction between data controllers (ben kiem soat du lieu) and data processors (ben xu ly du lieu), data subject rights modeled on GDPR principles, data protection impact assessment (DPIA) requirements, cross-border data transfer regulations, and breach notification obligations. However, key differences from GDPR include the absence of an independent data protection authority (enforcement is handled by MPS rather than an independent body), the requirement to file cross-border transfer impact assessments with government authorities, and the relatively limited enforcement track record given the decree's recent implementation.

4.2 Key Provisions and Requirements

| Provision | Decree 13/2023 Requirement | GDPR Comparison |
|---|---|---|
| Data Categories | Basic personal data and sensitive personal data (11 categories including health, political views, ethnicity, location data) | Personal data and special categories of data (Art. 9) |
| Consent | Explicit, voluntary, informed consent required; must be documented; withdrawable | Similar requirements under Art. 7; additional legal bases available |
| Data Subject Rights | Access, correction, deletion, restriction of processing, objection, data portability, complaint | Substantially similar rights under Chapter III |
| Breach Notification | 72 hours to Department of Cybersecurity (MPS) | 72 hours to supervisory authority (Art. 33) |
| DPIA | Required for sensitive data processing; filed with Department of Cybersecurity | Required for high-risk processing (Art. 35); not filed with authority |
| Cross-Border Transfer | Transfer impact assessment filed with MPS within 60 days; must maintain copy of data in Vietnam | Adequacy decisions, SCCs, BCRs (Chapter V) |
| DPO Requirement | Data protection department or assigned personnel required | DPO mandatory for public bodies and large-scale processing |
| Enforcement Authority | Department of Cybersecurity, MPS (not independent) | Independent supervisory authorities (Art. 51) |
| Penalties | Administrative fines up to 100 million VND (~$4,000 USD); criminal liability for severe violations | Up to 4% global turnover or 20 million EUR |

4.3 Compliance Implementation Roadmap

Organizations operating in Vietnam should follow a structured compliance approach for Decree 13:

  1. Data Inventory and Classification: Map all personal data assets, classify as basic or sensitive, identify data flows including cross-border transfers, and document processing purposes and legal bases.
  2. Consent Mechanism Overhaul: Implement granular consent collection for each processing purpose, ensure consent records are maintained, and establish consent withdrawal mechanisms.
  3. Data Protection Impact Assessment: Conduct DPIAs for all sensitive data processing activities and file with the Department of Cybersecurity within 60 days of commencing processing.
  4. Cross-Border Transfer Assessment: For any data transferred outside Vietnam, prepare and file a transfer impact assessment with MPS, maintain a domestic copy of transferred data, and document security measures protecting the transfer.
  5. Data Subject Rights Procedures: Establish processes to fulfill data subject access, correction, deletion, and portability requests within the mandated timeframes.
  6. Breach Response Plan: Implement 72-hour notification procedures to the Department of Cybersecurity, including incident classification, evidence preservation, and communication templates.
  7. Organizational Measures: Designate data protection personnel, implement employee training programs, and establish internal audit procedures for ongoing compliance monitoring.

5. NCSC, VNCERT & National Coordination

5.1 National Cyber Security Center (NCSC)

The National Cyber Security Center (NCSC, Trung tam Giam sat an toan khong gian mang quoc gia), operating under the Authority of Information Security (AIS) within the Ministry of Information and Communications, serves as Vietnam's primary technical cybersecurity monitoring and coordination center. NCSC was established to consolidate national-level cybersecurity monitoring capabilities and coordinates with VNCERT (Vietnam Computer Emergency Response Team), which handles incident response operations.

NCSC's core operational capabilities include 24/7 monitoring of approximately 4,000 government information systems through a centralized Security Operations Center, national-level threat intelligence collection and analysis, malware analysis through the national malware analysis laboratory, coordination of cybersecurity incident response across government agencies, management of the national cybersecurity exercise program, certification and oversight of information security auditing organizations, and publication of annual cybersecurity threat assessments and advisories. In 2024, NCSC detected and handled over 13,750 cybersecurity incidents, including 4,800 phishing attacks, 2,100 website defacements, and 1,250 malware infections targeting government systems.

5.2 VNCERT Operations

VNCERT (Vietnam Computer Emergency Response Team, now operating as VNCERT/CC under AIS/MIC) serves as Vietnam's national CERT and represents Vietnam in the international CERT community, including membership in FIRST (Forum of Incident Response and Security Teams) and APCERT (Asia Pacific Computer Emergency Response Team). VNCERT/CC coordinates vulnerability disclosure for Vietnamese organizations, manages the national incident reporting system, and operates the .vn domain security monitoring program.

VNCERT/CC's international cooperation activities include bilateral cybersecurity cooperation agreements with CERTs in Japan (JPCERT/CC), South Korea (KrCERT/CC), Australia (ACSC), Singapore (SingCERT), and the United States (US-CERT). These partnerships facilitate threat intelligence sharing, joint incident investigation, and capacity building. VNCERT/CC also participates in the ASEAN CERT network and the ASEAN-Japan Cybersecurity Capacity Building Centre in Thailand, reflecting Vietnam's active engagement in regional cybersecurity cooperation.

5.3 Dual Authority Model: MIC vs. MPS

Vietnam's cybersecurity governance operates through a dual-authority structure that organizations must carefully navigate. MIC (through AIS and NCSC) is responsible for information security standards, civilian system monitoring, information security auditing certification, and technical cybersecurity capacity building. MPS (through the Department of Cybersecurity and Hi-tech Crime Prevention, A05) is responsible for Cybersecurity Law enforcement, personal data protection under Decree 13, cybercrime investigation, and content management directives.

Navigating Vietnam's Dual Authority Model

Reporting to MIC/NCSC: Information security incidents affecting government information systems; annual security audit reports for classified systems; information security product and service certifications.

Reporting to MPS/A05: Data breaches involving personal data (72-hour notification under Decree 13); cybercrime incidents requiring law enforcement investigation; data localization compliance under the Cybersecurity Law; cross-border data transfer impact assessments.

Practical Guidance: Organizations should maintain relationships with both authorities, understand which incidents require reporting to which body (or both), and ensure compliance teams are familiar with the distinct regulatory instruments administered by each ministry.

6. MIC Regulatory Oversight & Circular 20

6.1 Information Security Level Classification

Circular 20/2017/TT-BTTTT, issued by MIC and updated by Circular 12/2022/TT-BTTTT, establishes the information security classification framework for information systems operated by government agencies and organizations in Vietnam. The circular defines five security levels based on the potential impact of a security breach on national security, public order, and socioeconomic activities.

| Level | Classification | Impact | Requirements |
|---|---|---|---|
| Level 1 | Low | Limited impact on operations | Basic security controls, self-assessment |
| Level 2 | Moderate | Moderate impact on operations and services | Standard controls, internal security review |
| Level 3 | Significant | Significant impact on public services and society | Annual audit by MIC-certified auditor, continuous monitoring |
| Level 4 | High | Serious impact on national security and public order | Enhanced controls, annual audit, 24/7 monitoring, incident response team |
| Level 5 | Critical | Critical impact on national security, defense, sovereignty | Maximum controls, continuous audit, dedicated SOC, coordination with NCSC |

6.2 Security Audit Requirements

Information systems classified at Level 3 and above are required to undergo annual security audits conducted by organizations certified by MIC. As of 2025, MIC has certified approximately 45 information security auditing organizations, including major domestic players such as Viettel Cyber Security, BKAV, FPT IS, CMC Cyber Security, and VNPT Cyber Immunity, as well as international firms with Vietnamese operations. The audit scope covers technical vulnerability assessment, configuration review, penetration testing, compliance assessment against Circular 20 requirements, and organizational security management practices.

Decree 85/2016/ND-CP further specifies information system security requirements based on classification level, mandating specific technical controls including network segmentation, access control, encryption, logging and monitoring, backup and recovery, and incident response capabilities. The decree requires system owners to submit annual security assessment reports to the competent authority (MIC for civilian systems, MPS for systems related to national security) and to remediate identified vulnerabilities within specified timeframes.

6.3 Information Security Standards Framework

Vietnam has developed a national information security standards framework aligned with international standards. TCVN ISO/IEC 27001 (the Vietnamese national standard equivalent of ISO 27001) is the primary ISMS certification standard. MIC has also published Vietnamese translations and adaptations of ISO 27002, ISO 27005 (risk management), and ISO 27035 (incident management). For government systems, compliance with TCVN 11930:2017 (information technology security requirements) provides a baseline for security controls that maps to the Circular 20 classification framework.

7. Critical Information Infrastructure Protection

7.1 Designated Critical Sectors

Vietnam's critical information infrastructure (CII) protection framework, established under the Cybersecurity Law and elaborated by implementing decrees, designates eight critical sectors requiring enhanced cybersecurity protections. CII operators must implement security measures proportionate to the potential impact of compromise and coordinate with both MIC and MPS for incident response and security assessments.

Telecommunications: MIC
Banking & Finance: SBV
Energy & Power: MOIT
Transportation: MOT
Water Supply: MOC
Healthcare: MOH
Government Services: MIC/MPS
Industrial Production: MOIT

7.2 CII Security Requirements

Critical information infrastructure operators face elevated security obligations including mandatory security assessments at least annually (more frequently for Level 4-5 systems), 24/7 security monitoring with SOC capabilities, incident reporting to NCSC within 4 hours of detection for critical incidents, business continuity and disaster recovery planning with tested failover capabilities, participation in national cybersecurity exercises coordinated by NCSC, and supply chain security assessments for critical technology vendors and service providers.

The implementation of CII protection requirements has been uneven across sectors. The banking and telecommunications sectors, subject to additional regulatory oversight from the State Bank of Vietnam and MIC respectively, have achieved the highest compliance rates. The energy, transportation, and healthcare sectors face greater challenges due to legacy OT systems, limited cybersecurity budgets, and the complexity of securing geographically distributed infrastructure. NCSC's 2025 assessment found that 67% of designated CII operators met baseline security requirements, up from 45% in 2022.

8. Domestic Cybersecurity Ecosystem

8.1 Viettel Cyber Security (VCS)

Viettel Cyber Security (VCS), the cybersecurity arm of the military-owned Viettel Group (Vietnam's largest telecommunications company), has emerged as Vietnam's most prominent cybersecurity provider. VCS offers a comprehensive portfolio including managed SOC services, threat intelligence, penetration testing, red team operations, digital forensics, and cybersecurity consulting. VCS operates the Viettel Threat Intelligence platform, which aggregates threat data from Viettel's extensive telecommunications network covering over 70 million subscribers.

VCS has gained international recognition through its bug bounty achievements, with VCS researchers consistently ranking among the top vulnerability reporters to Microsoft, Google, Apple, and other major technology companies. In 2024, VCS researchers disclosed over 150 critical vulnerabilities to major vendors and earned $500,000+ in bug bounty rewards. VCS also operates Vietnam's largest commercial SOC, monitoring over 500 enterprise clients, and has expanded operations internationally to markets including Myanmar, Cambodia, Laos, and East Timor through Viettel's regional telecommunications operations.

8.2 BKAV Corporation

BKAV Corporation, founded in 1995 by Nguyen Tu Quang, is Vietnam's pioneer cybersecurity company and best known for BKAV Antivirus, which holds the dominant market share for endpoint security in Vietnam. BKAV has evolved from a pure antivirus vendor into a diversified technology company offering AI-powered security solutions, IoT security products (including the Bphone smartphone line), and enterprise security services. BKAV's security research team maintains a malware analysis laboratory and publishes regular threat assessments focused on the Vietnamese threat landscape.

BKAV's endpoint detection platform, BKAV Pro, incorporates machine learning-based malware detection and behavioral analysis capabilities. The company has invested heavily in AI-driven security, including natural language processing for Vietnamese-language phishing detection and computer vision for deepfake detection. BKAV also provides cybersecurity training services and operates the BKAV Academy, contributing to Vietnam's cybersecurity workforce development. The company's government contracts include cybersecurity monitoring for multiple ministry-level information systems.

8.3 FPT Information System Security

FPT Information System Security (FPT IS Security), part of FPT Corporation (Vietnam's largest IT services company), provides managed security services, compliance consulting, security audit services, and system integration for cybersecurity solutions. FPT IS Security is one of the MIC-certified information security auditing organizations and conducts Circular 20 compliance audits for government agencies and enterprises. The company operates a Security Operations Center and provides incident response services primarily focused on the enterprise market.

FPT's broader cybersecurity involvement extends through FPT Telecom (ISP security services), FPT Software (secure development practices for outsourced software projects serving international clients), and FPT Smart Cloud (cloud security services). FPT has partnered with international vendors including Fortinet, Palo Alto Networks, and CrowdStrike to deliver integrated security solutions, while also developing proprietary security tools including FPT's AI-powered threat detection platform and secure code review tools used in their software outsourcing operations.

8.4 Broader Domestic Ecosystem

| Company | Core Capabilities | Notable Strengths |
|---|---|---|
| Viettel Cyber Security (VCS) | SOC, threat intelligence, pen testing, red team | Largest commercial SOC; international bug bounty recognition |
| BKAV Corporation | Endpoint security, antivirus, IoT security, AI security | Dominant domestic endpoint market; AI-driven detection |
| FPT IS Security | Managed security, compliance audit, system integration | MIC-certified auditor; enterprise market leader |
| CMC Cyber Security | SOC, vulnerability assessment, security consulting | Strong enterprise market; cloud security focus |
| VNPT Cyber Immunity | Network security, DDoS protection, ISP security | Telecommunications infrastructure security expertise |
| CyRadar | Threat intelligence, AI-based detection, MDR | Machine learning platform; startup innovation |
| VinCSS | Automotive security, IoT security, FIDO2 authentication | FIDO Alliance member; automotive cybersecurity for VinFast |
| SecurityBox (GTN) | Web application security, penetration testing | Application security specialization; DevSecOps |

9. Financial Sector Cybersecurity (SBV)

9.1 State Bank of Vietnam Regulatory Framework

The State Bank of Vietnam (SBV, Ngan hang Nha nuoc Viet Nam) oversees cybersecurity for the financial sector through a comprehensive regulatory framework encompassing IT risk management, transaction security, and incident reporting. The SBV's regulatory approach has intensified significantly since 2020, driven by the rapid growth of digital banking, mobile payments, and fintech services, combined with escalating cyber fraud targeting Vietnamese banking customers.

Key SBV cybersecurity regulations include Circular 09/2020/TT-NHNN on IT risk management for credit institutions and payment intermediaries, which mandates risk assessment frameworks, IT security policies, incident response plans, and annual IT audits. Circular 35/2016/TT-NHNN governs information security for banking operations, requiring network segmentation between internet-facing and core banking systems, multi-factor authentication, encryption of sensitive data, and security monitoring. Decision 2345/QD-NHNN (effective July 2024) mandates biometric authentication for electronic banking transactions above 10 million VND and all online transfers to new recipients, representing one of the most stringent banking authentication requirements in Southeast Asia.

9.2 Digital Banking Security

Vietnam's digital banking sector has experienced explosive growth, with mobile banking users exceeding 60 million and digital payment transactions growing at 40%+ annually. This expansion has been accompanied by sophisticated fraud campaigns including social engineering attacks impersonating bank officials via Zalo and phone calls, phishing websites replicating legitimate banking portals, malware targeting mobile banking applications, and SIM swap attacks enabling unauthorized account access.

The SBV's Decision 2345 biometric authentication mandate was specifically designed to combat these fraud vectors. Under this decision, all banks must collect and verify customer biometric data (facial recognition) for transactions above specified thresholds. The implementation has been technically challenging, requiring banks to deploy facial recognition systems, establish biometric databases, and manage the privacy implications of biometric data collection under Decree 13/2023. Major banks including Vietcombank, BIDV, VietinBank, and Techcombank have invested heavily in biometric authentication infrastructure, with the SBV reporting a 35% reduction in online fraud incidents in the six months following implementation.

9.3 Fintech and Digital Payment Security

Vietnam's fintech ecosystem, including e-wallets (MoMo, ZaloPay, VNPay, ShopeePay), peer-to-peer lending platforms, and digital banks, operates under the SBV's regulatory umbrella. Circular 39/2014 (amended by Circular 23/2019) governs electronic wallet operations, requiring operators to implement transaction monitoring, fraud detection systems, KYC verification, and data encryption. The SBV's sandbox regulatory framework (Decree 13/2024) for fintech innovation includes cybersecurity as a mandatory assessment criterion for sandbox participants.

10. Data Localization & Cross-Border Transfers

10.1 Article 26 Data Localization Requirements

Article 26 of the Cybersecurity Law 2018 establishes Vietnam's data localization framework, requiring enterprises providing services on telecommunications networks, the internet, or value-added services in Vietnamese cyberspace that collect, exploit, analyze, or process certain categories of data to store such data in Vietnam. The scope includes personal data of Vietnamese users, data on users' relationships, and data generated by users in Vietnam. Foreign enterprises meeting these criteria must also establish branches or representative offices in Vietnam.

Decree 53/2022/ND-CP, implementing Article 26, clarifies the conditions under which data localization obligations are triggered. Importantly, the localization requirement is not automatic for all data but is activated when the Ministry of Public Security determines that data localization is necessary for cybersecurity purposes and issues a written request to the enterprise. This conditional approach provides more flexibility than a blanket localization mandate but creates uncertainty for enterprises that must design their data architectures to accommodate potential localization requests.

10.2 Cross-Border Transfer Under Decree 13

Decree 13/2023 introduces additional requirements for cross-border transfers of personal data. Organizations transferring personal data outside Vietnam must prepare a transfer impact assessment document (dossier) and file it with the Department of Cybersecurity under MPS within 60 days of the initial transfer. The assessment must include the purpose and scope of the transfer, types of personal data being transferred, identity and security measures of the receiving party, security measures protecting the transfer, and assessment of the receiving country's data protection framework.

Crucially, Decree 13 requires that a copy of the transferred personal data be maintained in Vietnam, creating a de facto data localization requirement for personal data even when cross-border transfers are permitted. The decree does not establish an adequacy mechanism similar to GDPR, meaning that each transfer requires individual assessment regardless of the destination country's data protection standards.

11. National Digital Transformation & Cyber Implications

11.1 National Digital Transformation Program

Decision 749/QD-TTg (approved June 2020) establishes Vietnam's National Digital Transformation Program targeting three pillars: digital government (100% of administrative services available online by 2025), digital economy (20% of GDP from the digital economy by 2025), and digital society (universal digital literacy and inclusion). The cybersecurity implications of this accelerated digitalization are profound, as it expands the national attack surface across e-government portals, digital identity systems, smart city infrastructure, and IoT deployments.

The program explicitly recognizes cybersecurity as a prerequisite for digital transformation success and sets specific cybersecurity targets: minimum 10% of IT budgets allocated to cybersecurity for government agencies, 90% of government agencies using domestic cybersecurity solutions, 100% of government information systems classified and meeting minimum security requirements, and establishment of SOC capabilities for all ministry-level agencies. These targets have driven significant investment in cybersecurity infrastructure and created a substantial domestic market for Vietnamese cybersecurity companies.

11.2 E-Government Security

Vietnam's e-government expansion, including the National Public Service Portal (dichvucong.gov.vn), digital identity system (VNeID), and interagency data sharing platforms, creates critical cybersecurity requirements. The VNeID digital identity system, rolled out nationally beginning in 2023, contains biometric data (fingerprints and facial recognition) for over 80 million citizens, making its security a national priority. MPS manages VNeID security, implementing multi-layer authentication, hardware security modules for key management, and dedicated monitoring through the NCSC.

Cybersecurity Targets in Vietnam's Digital Transformation Program

10% minimum: IT budget allocated to cybersecurity for all government agencies.

90% target: Government agencies using domestically developed (Make in Vietnam) cybersecurity solutions by 2025.

100% target: Government information systems classified under Circular 20 with minimum security requirements implemented.

SOC for all: All ministry-level agencies to establish or contract SOC monitoring capabilities.

Zero trust adoption: Piloting zero trust architecture for government networks beginning 2025.

12. Cybersecurity Talent & Workforce

12.1 Scale of the Talent Gap

Vietnam faces a critical cybersecurity talent shortage estimated at 500,000 professionals needed to adequately protect the nation's rapidly expanding digital infrastructure, against a current workforce of approximately 50,000 qualified cybersecurity professionals. The government's target of training 1,000 cybersecurity experts annually through university programs falls far short of demand, creating both an urgent national security concern and a significant market opportunity for cybersecurity education and training providers.

12.2 Education and Training Pipeline

Vietnam's cybersecurity education ecosystem has expanded significantly, with dedicated programs at major institutions including Hanoi University of Science and Technology (HUST), Posts and Telecommunications Institute of Technology (PTIT), FPT University, Ho Chi Minh City University of Technology (HCMUT), University of Information Technology (UIT-VNU-HCM), and the Academy of Cryptography Techniques (under the Ministry of National Defense). These programs produce approximately 2,000-3,000 graduates annually with cybersecurity-related qualifications.

Beyond formal education, Vietnam has a thriving competitive cybersecurity community. Vietnamese teams consistently perform well in international CTF (Capture the Flag) competitions, with teams from HUST, VinCSS, and BKAV achieving top rankings. The annual Whitehat Grand Prix, organized by VNISA and BKAV, attracts international participation and serves as both a talent identification mechanism and a showcase for Vietnamese cybersecurity capabilities.

2014: Vietnam Information Security Association (VNISA) establishes annual Security World conference and Whitehat hacking competition.

2017: MIC issues Circular 20 establishing five-level information security classification framework, creating demand for certified auditors.

2019: Cybersecurity Law takes effect, establishing legal framework and dramatically increasing demand for cybersecurity professionals.

2020: National Digital Transformation Program sets 10% cybersecurity budget target, driving market growth and talent demand.

2022: Viettel Cyber Security expands international operations; VCS researchers rank among top global bug bounty hunters.

2023: Decree 13 on personal data protection creates new demand for privacy professionals and data protection officers.

2025: Government targets 1,500 cybersecurity experts trained annually; cybersecurity centers of excellence established at five universities.

13. Major Cyber Incidents in Vietnam

13.1 Vietnam Airlines / Airport Hack (2016)

In July 2016, hackers attributed to the Chinese group 1937CN compromised the websites and flight information display systems of Vietnam Airlines, Noi Bai International Airport (Hanoi), and Tan Son Nhat International Airport (Ho Chi Minh City). The attackers defaced flight information screens with political messages related to South China Sea disputes and leaked personal data of approximately 411,000 Vietnam Airlines frequent flyer members. The incident forced airports to switch to manual check-in procedures and exposed critical vulnerabilities in aviation sector cybersecurity.

This incident served as a catalyst for Vietnam's cybersecurity legislative program, directly contributing to the urgency behind the Cybersecurity Law 2018. The government response included establishing the Aviation Cyber Security Task Force, mandating enhanced security requirements for all aviation information systems, and conducting comprehensive vulnerability assessments across the sector. The incident also highlighted the intersection of cybersecurity and geopolitics in Vietnam's threat environment.

13.2 Banking and Financial Fraud Campaigns

The Vietnamese banking sector has faced persistent and evolving cyber threats. In 2023-2024, sophisticated phishing campaigns targeting banking customers across multiple institutions resulted in estimated losses exceeding 10 trillion VND. These campaigns utilized convincing replicas of banking websites, social engineering via Zalo and phone calls (vishing), and malware distributed through fraudulent mobile applications. The SBV's Decision 2345 mandating biometric authentication was a direct response to the scale of these fraud operations.

13.3 Ransomware and Enterprise Attacks

NCSC has documented a significant increase in ransomware attacks targeting Vietnamese enterprises, particularly manufacturing companies operating in industrial zones, technology companies, and healthcare institutions. Notable incidents include the 2024 attack on a major Vietnamese electronics manufacturer that disrupted production for five days, and ransomware targeting multiple hospitals in Ho Chi Minh City that encrypted patient records and forced manual operations. The average ransom demand against Vietnamese organizations in 2024 was approximately $200,000-500,000 USD, lower than global averages but significant in the Vietnamese market context.

14. Compliance Frameworks & Certifications

14.1 Organizational Standards and Certifications

Framework/Certification | Scope | Requirement Type | Key Application
TCVN ISO/IEC 27001 (ISMS) | All sectors | Voluntary (de facto required for enterprises) | Enterprise information security management
Circular 20 Classification | Government / CII | Mandatory for government systems | Five-level security classification framework
Decree 85/2016 Compliance | Government / CII | Mandatory for classified systems | Information system security requirements
Decree 13/2023 Compliance | All sectors processing personal data | Mandatory | Personal data protection
SBV Circular 09/2020 | Financial institutions | Mandatory for credit institutions | IT risk management for banking
PCI DSS v4.0 | Payment card industry | Mandatory for card processors | Credit card data handling
SOC 2 Type II | Service providers | Voluntary (required by international clients) | IT outsourcing and SaaS providers
ISO/IEC 27017 + 27018 | Cloud services | Voluntary | Cloud security and PII protection
TCVN 11930:2017 | Government IT | Mandatory for government systems | IT security requirements baseline

14.2 MIC-Certified Security Auditing Organizations

MIC maintains a registry of certified information security auditing organizations authorized to conduct Circular 20 compliance audits for government agencies and critical infrastructure operators. Certification requires demonstrating qualified personnel (certified auditors with CISSP, CISA, or equivalent credentials), appropriate auditing methodologies, insurance coverage, and independence from the audited entity. As of 2025, approximately 45 organizations hold MIC audit certification, creating a competitive market for compliance audit services.

15. Make in Vietnam Cybersecurity Products

15.1 Government Push for Domestic Solutions

The "Make in Vietnam" initiative, championed by MIC, promotes the development and adoption of domestically produced cybersecurity solutions. The government's target of 90% of government agencies using domestic cybersecurity solutions by 2025 has created significant market pull for Vietnamese cybersecurity companies and stimulated investment in domestic product development. Priority product categories include antivirus and endpoint protection, network security monitoring, SIEM/SOC platforms, email security, web application firewalls, and threat intelligence platforms.

The Make in Vietnam cybersecurity initiative reflects both economic development goals (building a domestic cybersecurity industry) and national security considerations (reducing dependency on foreign security products for government systems). MIC publishes an annual catalog of recommended domestic cybersecurity products that meet government security standards, and procurement preference policies incentivize government agencies to select domestic products when they meet technical requirements.

15.2 Notable Domestic Products

16. Frequently Asked Questions

What is the Vietnam Cybersecurity Law 2018 and what does it require?

The Vietnam Cybersecurity Law (Law No. 24/2018/QH14), effective January 1, 2019, is Vietnam's foundational cybersecurity legislation. It mandates that domestic and foreign enterprises providing services on telecommunications networks or the internet in Vietnam must store data of Vietnamese users within Vietnam when requested by authorities, establish local offices or representatives, and comply with information system classification requirements. The law empowers MPS and MIC to conduct cybersecurity audits and establishes the legal framework for incident response, investigation, and content management. Decree 53/2022 elaborates on the data localization provisions.

What is Decree 13/2023 on Personal Data Protection?

Decree 13/2023/ND-CP, effective July 1, 2023, is Vietnam's comprehensive personal data protection regulation. It defines personal data categories (basic and sensitive), establishes data subject rights (access, correction, deletion, restriction, portability), requires explicit consent for data processing, mandates DPIAs for sensitive data, requires cross-border transfer impact assessments filed with MPS, and imposes 72-hour breach notification obligations. Organizations must designate data protection personnel and maintain processing records. It is enforced by the Department of Cybersecurity under MPS.

What is the role of NCSC and VNCERT?

NCSC (National Cyber Security Center) operates under MIC's Authority of Information Security, providing 24/7 monitoring of government systems, national threat intelligence, malware analysis, and cybersecurity exercise coordination. VNCERT/CC handles incident response coordination, vulnerability disclosure, and international CERT cooperation (FIRST and APCERT membership). Together they detected and handled over 13,750 incidents in 2024. NCSC also certifies information security auditing organizations and publishes annual threat assessments for Vietnamese organizations.

What cybersecurity certifications and standards are required in Vietnam?

Circular 20/2017 (updated by Circular 12/2022) establishes five security levels for government information systems. Level 3+ systems require annual audits by MIC-certified auditors. TCVN ISO/IEC 27001 is the primary ISMS standard. Decree 85/2016 mandates specific technical controls based on system classification. For banking, SBV Circular 09/2020 governs IT risk management. PCI DSS is required for card processors. SOC 2 Type II is increasingly required by international clients of Vietnamese IT outsourcing companies. TCVN 11930:2017 provides the baseline for government IT security.

How large is Vietnam's cybersecurity market?

Vietnam's cybersecurity market reached approximately $380 million USD in 2025, growing at 16-18% annually. Major domestic players include Viettel Cyber Security (SOC, threat intelligence, pen testing), BKAV (endpoint security, antivirus, AI security), FPT IS Security (managed security, compliance audit), CMC Cyber Security, and VNPT Cyber Immunity. International vendors including Fortinet, Palo Alto Networks, CrowdStrike, and Kaspersky maintain significant presence. The Make in Vietnam initiative targets 90% domestic cybersecurity product adoption in government by 2025.

What are the data localization requirements in Vietnam?

Data localization stems from Article 26 of the Cybersecurity Law (implemented by Decree 53/2022) and Decree 13/2023. Under the Cybersecurity Law, enterprises must store Vietnamese user data domestically when requested by MPS. Under Decree 13, cross-border transfers require impact assessments filed with MPS, and a copy of personal data must be maintained in Vietnam. Banking data faces stricter localization under SBV regulations. The requirements are not blanket mandates but are condition-triggered, creating compliance uncertainty that organizations must manage through flexible data architecture design.

What is the cybersecurity talent situation in Vietnam?

Vietnam faces a shortage of approximately 500,000 cybersecurity professionals against a current workforce of roughly 50,000. Major training institutions include HUST, PTIT, FPT University, and the Academy of Cryptography Techniques, producing 2,000-3,000 graduates annually. Vietnam excels in international CTF competitions. Average salaries range from $8,000-25,000 USD annually, making Vietnam attractive for cybersecurity outsourcing. The government targets establishing cybersecurity centers of excellence at five universities and training 1,500 experts annually by 2025.

What major cyber incidents have affected Vietnam?

Key incidents include the 2016 Vietnam Airlines/airport hack by Chinese-attributed group 1937CN that defaced flight displays and leaked 411,000 customer records; persistent banking fraud campaigns resulting in estimated losses exceeding 10 trillion VND in 2023-2024; ransomware attacks targeting manufacturing and healthcare sectors with increasing frequency; and NCSC reporting 13,750+ incidents in 2024 alone. The Vietnam Airlines incident directly catalyzed the Cybersecurity Law 2018, and banking fraud drove the SBV's biometric authentication mandate (Decision 2345).

How does Vietnam regulate financial sector cybersecurity?

The State Bank of Vietnam (SBV) regulates through Circular 09/2020 (IT risk management for credit institutions), Circular 35/2016 (information security for banking operations), and Decision 2345 (biometric authentication for electronic banking). Requirements include network segmentation, multi-factor authentication, encryption, transaction monitoring, and 24-hour incident reporting. PCI DSS is mandatory for card processors. The SBV conducts periodic cybersecurity inspections and has established a fintech sandbox (Decree 13/2024) with cybersecurity as a mandatory assessment criterion.

What is Vietnam's National Digital Transformation Program?

Decision 749/QD-TTg targets digital government (100% online services), digital economy (20% of GDP), and digital society by 2025/2030. Cybersecurity implications include mandatory 10% IT budget allocation to security for government agencies, 90% domestic cybersecurity solution adoption target, SOC capabilities for all ministries, and zero trust architecture piloting. The program has driven significant cybersecurity investment and created market opportunities for Vietnamese security companies under the Make in Vietnam initiative.


© 2026 Seraphim Co., Ltd.